【Question title】: Electron-forge & osx sign app result in "Binary is improperly signed."
【Posted】: 2021-07-25 18:10:28
【Question description】:

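I developed an Electron app with the following "features":

If I don't sign it, I have no problem running the app and building it, but for auto-update to work I absolutely need to sign it. (It is also better for my customers.)

Unfortunately, when I sign it and try to run it on Big Sur, I get the following message:

From Finder:

You do not have permission to open the application "XX"

Contact your computer or network administrator for assistance.

From the terminal: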

The application cannot be opened for an unexpected reason,
error=Error Domain=NSOSStatusErrorDomain Code=-10826 "kLSNoLaunchPermissionErr: User doesn't have permission to launch the app (managed networks)" 
UserInfo={_LSFunction=_LSLaunchWithRunningboard, _LSLine=2539, NSUnderlyingError=0x7f98fe4166d0 {Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." 
UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x7f98fe418060 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" 
UserInfo={NSLocalizedDescription=Launchd job spawn failed with error: 153}}}}}

And, in both cases, I have this message in Console/system.log:

May  3 11:00:32 XX com.apple.xpc.launchd[1] (application.ai.XX.note-taking.39302547.39303101[25454]): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Users/XX/Documents/XX/mr/XX-desktop/out/XX-darwin-x64/XX.app/Contents/MacOS/XX_Taking-Note:
      Code has restricted entitlements, but the validation of its code signature failed.
    Unsatisfied Entitlements: 
May  3 11:00:32 XX com.apple.xpc.launchd[1] (application.ai.XX.note-taking.39302547.39303101[25454]): Binary is improperly signed.

Catalina:

My colleague launched it from Catalina and got this error message:

System Integrity Protection: enabled
Crashed Thread:        0
Exception Type:        EXC_CRASH (Code Signature Invalid)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY
Termination Reason:    Namespace CODESIGNING, Code 0x1

How is my app signed?

Using [electron-osx-sign][8] and [electron-notarize][8] with the forge config:

packagerConfig:  {
    appBundleId: 'ai.XX.note-taking',
    executableName: BUILD_NAME, //XX
    name: APP_NAME, //XX
    icon: iconPath,
    overwrite: true,
    asar: true,

    extendInfo: './info.extends.plist',

    protocols: {
      name: 'XX-note',
      schemes: ['XX-note'],
    },

    osxSign: {
      identity: OSX_CREDENTIALS.SIGN_ID, // Developer ID Application: TeamName (MYTEAMID)
      'hardened-runtime': true,
      entitlements: 'entitlements.plist',
      'entitlements-inherit': 'entitlements.plist',
      'entitlements-loginhelper': 'login.entitlements.plist',
      'signature-flags': 'library',
      // https://github.com/electron/electron-notarize/issues/54
      'gatekeeper-assess': false,
      verbose: true,
    },
    osxNotarize: {
      // appBundleId: 'ai.XX.note-taking', // (TESTED WITH & WITHOUT)
      appleId: OSX_CREDENTIALS.ID, // me@XX.ai
      appleIdPassword: OSX_CREDENTIALS.PASSWORD, // app password
      // ascProvider: 'MYTEAMID', // (TESTED WITH & WITHOUT)
    },
},

codesign --verify --verbose XX.app

out/XX-darwin-x64/XX.app: valid on disk
out/XX-darwin-x64/XX.app: satisfies its Designated Requirement

My .plist files

login.entitlements.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>

info.extends.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>CFBundleURLTypes</key>
    <array>
      <dict>
        <key>CFBundleURLSchemes</key>
        <array>
          <string>XX-note</string>
        </array>
      </dict>
    </array>
    <key>NSDocumentsFolderUsageDescription</key>
    <true />
    <key>ElectronTeamID</key>
    <string>MYTEAMID</string>
    <key>NSAppTransportSecurity</key>
    <dict>
      <key>NSAllowsArbitraryLoads</key>
      <false/>
      <key>NSAllowsLocalNetworking</key>
      <true/>
    </dict>
  </dict>
</plist>

entitlements.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>

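I really hope you can help me. I have tried to give you everything I can; I have not been able to solve my problem for more than three days.

Already tried: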

  • developer.apple.com/forums/thread/666611?page=5
  • github.com/ElmarJ/Waterlooplein3D/issues/86
  • bestofreactjs.com/repo/infinitered-reactotron-react-development-tools
  • stackoverflow.com/questions/64842819/cant-run-app-because-of-permission-in-big-sur
  • github.com/upx/upx/issues/424
  • github.com/Squirrel/Squirrel.Mac/issues/204
  • github.com/Hardocs/desktop-app/issues/56
  • discussions.apple.com/thread/526166
  • ...and more

【Question discussion】:

    Tags: macos electron electron-forge


    【Solution 1】:

    I solved this using this tutorial: https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

    And this issue: https://github.com/electron-userland/electron-builder/issues/3940

    My final config is:

        osxSign: {
          identity: 'Developer ID Application: MyTeam (TEAMID)',
          'hardened-runtime': true,
          entitlements: 'mac/entitlements.plist',
          'entitlements-inherit': 'mac/entitlements.plist',
          'signature-flags': 'library',
          // https://github.com/electron/electron-notarize/issues/54
          'gatekeeper-assess': false,
          verbose: true,
        },
    
        osxNotarize: {
          appleId: 'myemail',
          appleIdPassword: 'mypassword',
        },
    

    mac/entitlements.plist is:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
      <dict>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
      </dict>
    </plist>
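
The answer does not say which change resolved the launch failure. As an added example (not code from the post or from electron-osx-sign), this Python script parses the entitlements behind each `osxSign` option and lists what the answer's configuration dropped relative to the question's. The plists are rebuilt inline from the ones on the page, and `granted`, `diff_signing` and `ROLES` are names chosen here.

```python
import plistlib

ROLES = ("entitlements", "entitlements-inherit", "entitlements-loginhelper")
PREFIX = "com.apple.security."

def _plist(*names):
    # Compact rebuild of a plist from the page; every entitlement there is <true/>.
    body = "".join(f"<key>{PREFIX}{n}</key><true/>" for n in names)
    return f'<plist version="1.0"><dict>{body}</dict></plist>'.encode()

# Constructed inputs: osxSign option -> plist bytes, rebuilt from the question...
_MAIN = _plist("cs.allow-jit", "cs.allow-unsigned-executable-memory",
               "cs.allow-dyld-environment-variables", "app-sandbox",
               "cs.disable-library-validation")
QUESTION = {"entitlements": _MAIN, "entitlements-inherit": _MAIN,
            "entitlements-loginhelper": _plist("app-sandbox")}
# ...and from the final configuration in the answer.
_FINAL = _plist("cs.allow-unsigned-executable-memory", "cs.disable-library-validation")
ANSWER = {"entitlements": _FINAL, "entitlements-inherit": _FINAL}

def granted(plist_bytes):
    """Entitlement keys an entitlements plist grants (value is not <false/>)."""
    ent = plistlib.loads(plist_bytes)
    if not isinstance(ent, dict):
        raise ValueError("entitlements plist must have a <dict> root")
    return {key for key, value in ent.items() if value is not False}

def diff_signing(before, after):
    """Per osxSign option, the entitlements dropped or added between two configs."""
    report = {}
    for role in ROLES:
        old = granted(before[role]) if role in before else set()
        new = granted(after[role]) if role in after else set()
        option_removed = role in before and role not in after
        if old != new or option_removed:
            report[role] = {"dropped": sorted(old - new),
                            "added": sorted(new - old),
                            "option_removed": option_removed}
    return report

if __name__ == "__main__":
    for role, change in diff_signing(QUESTION, ANSWER).items():
        print(role, change)
```
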
    
